Best Practices

This guide provides recommendations for maximizing the effectiveness of your WebDecoy deployment.

Decoy Placement Strategies

Strategy 1: Defense in Depth

Deploy multiple layers of decoys:

Layer 1: Visible to crawlers only (robots.txt, hidden links)
    │
Layer 2: JavaScript-accessible (hidden DOM elements)
    │
Layer 3: API honeypots (fake endpoints)
    │
Layer 4: Form honeypots (invisible fields)

Strategy 2: Realistic Naming

Choose paths that attackers target:

Good (realistic):

/admin/backup.zip
/api/v1/admin/users
/wp-config.php.bak
/.env
/db/export.sql

Bad (obvious):

/honeypot.html
/fake-admin
/trap-page

Strategy 3: Strategic Placement

Location	Best For	Example
robots.txt	Malicious crawlers	`Disallow: /admin-backup/`
HTML comments	Source code scanners	`<!-- backup: /old/admin.zip -->`
Hidden links	Automated crawlers	CSS `display:none` link
Form fields	Spam bots	Invisible `website` field
API paths	API scanners	`/api/debug`, `/graphql/admin`

Strategy 4: Decoy Distribution

Spread decoys across your infrastructure:

Area	Decoys Per Area	Priority
Login/Auth	2-3	High
Admin areas	3-5	High
APIs	2-4	High
Content areas	1-2	Medium
Static assets	1-2	Low

Common Decoy Paths

Based on what attackers commonly target:

# Admin Discovery
/admin/
/administrator/
/wp-admin/
/admin.php
/manager/

# Backup Files
/backup.zip
/backup.sql
/database.sql
/db_backup.tar.gz
/site-backup.zip

# Configuration
/.env
/config.php
/wp-config.php.bak
/settings.json
/.git/config

# Debug/Test
/debug/
/phpinfo.php
/test.php
/info.php
/.debug

# API
/api/admin/
/api/debug/
/api/config/
/graphql/admin/
/api/v1/internal/

Reducing False Positives

Tune Detection Sensitivity

Situation	Recommended Sensitivity	Block Threshold
High traffic, public site	Low-Medium	80-90
E-commerce	Medium	75-85
Financial services	High	70-80
Internal applications	High	60-70

Allowlist Legitimate Bots

Always allow these bot categories:

Search Engines (allow):

Googlebot
Bingbot
Yahoo! Slurp
DuckDuckBot
Baiduspider
YandexBot

Monitoring Services (allow):

Pingdom
UptimeRobot
StatusCake
New Relic
Datadog

Social Media (allow):

Facebook External Hit
Twitterbot
LinkedInBot
WhatsApp

Your Own Bots:

Add custom user agents to allowlist
Internal monitoring tools
Deployment scripts
API integrations

Start with Logging

Before enabling blocking:

Set to “Log Only” mode
Run for 1-2 weeks
Review detections
- Identify legitimate traffic being flagged
- Add to allowlist
Gradually lower threshold
Enable blocking once tuned

Monitor False Positive Rate

FP Rate	Action
< 1%	Good - maintain current settings
1-5%	Review allowlists and thresholds
> 5%	Lower sensitivity, raise threshold

Review High-Score Legitimate Traffic

Periodically check for:

Legitimate users with VPNs (common in corporate)
Users with strict privacy settings
Users from hosting/cloud IPs (developers)

Security Operations Integration

Alert Routing

Route detections to appropriate teams:

Score	Routing	Response
80-100	Security team (immediate)	Investigate within 1 hour
60-79	Security team (queue)	Review within 24 hours
40-59	Security monitoring	Weekly review
< 40	Logs only	Monthly trends

SIEM Integration

Send detections to your SIEM for correlation:

Splunk:

sourcetype=webdecoy
| stats count by mitre_tactic, threat_level
| where count > 10

Elastic:

{
  "query": {
    "bool": {
      "filter": [
        { "term": { "source": "webdecoy" } },
        { "range": { "threat_score": { "gte": 70 } } }
      ]
    }
  }
}

Incident Response Playbook

When high-severity detection occurs:

Assess - Review detection details
Validate - Confirm it’s not a false positive
Contain - Block IP if not already blocked
Investigate - Check for related activity
Document - Record incident details
Improve - Update rules/decoys based on findings

Metrics to Track

Metric	Target	Review Frequency
Total detections	Baseline + trend	Daily
High-severity (80+)	Minimize	Daily
False positives	< 1%	Weekly
Mean time to block	< 1 minute	Weekly
Coverage (decoys per area)	2-3 per area	Monthly

Reporting

Regular security reports should include:

Weekly:

Total detection count
High-severity breakdown
New attack patterns
Blocked IP count

Monthly:

MITRE tactic distribution
Geographic trends
False positive rate
Detection coverage assessment

Quarterly:

Year-over-year comparison
Attack sophistication trends
ROI metrics
Recommendations

General Best Practices

Decoy Management

Review and rotate decoys quarterly
Update decoy paths based on attack trends
Remove unused/expired decoys
Document decoy purposes
Test decoys after changes

Monitoring

Check detection dashboard daily
Review high-score detections immediately
Set up alerts for critical detections
Monitor false positive rate
Track detection trends

Maintenance

Keep WordPress plugin updated
Rotate API keys annually
Review integration health monthly
Test SSL certificate renewal
Update allowlists as needed

Security

Use strong, unique API keys
Enable two-factor where available
Limit API key scopes
Review user access regularly
Audit integration permissions

Quick Reference Card

Detection Response Guide

Score	Level	Color	Automated	Manual Action
81-100	CRITICAL	Red	Block	Investigate immediately
61-80	HIGH	Orange	Challenge/Block	Review within 24h
41-60	MEDIUM	Yellow	Log	Weekly review
21-40	LOW	Blue	Log	Monthly trends
0-20	MINIMAL	Green	Allow	No action needed

Recommended Configuration

Small Business Website:

Sensitivity: Medium
Block Threshold: 80
Rate Limit: 60/min
Decoys: 5-10
Bot Scanner: Enabled
Form Honeypots: Enabled

E-commerce Store:

Sensitivity: Medium-High
Block Threshold: 75
Rate Limit: 30/min
Decoys: 15-25
Bot Scanner: Enabled
Form Honeypots: Enabled
WooCommerce Protection: Enabled
Checkout Limit: 5/hour

Enterprise API:

Sensitivity: High
Block Threshold: 65
Rate Limit: 100/min
Decoys: 30+
Bot Scanner: Enabled (high sensitivity)
Endpoint Honeypots: 10+
Cloudflare Integration: Enabled
SIEM Integration: Enabled